Since the first Geneva Convention was signed, medical workers have been granted special status and hospitals have been recognised as neutral territory. In the future, we will probably need some kind of online counterpart; healthcare companies suffer from cyber-attacks no less than other targets do. The big difference is that in the case of public health companies, what’s at stake is not only business, but also human health.
However, even if such a convention comes into force, it will not rid medical companies of the necessity of providing full-fledged protection against cyber-threats. Quite often, malefactors launch “mass destruction” attacks, and as much as they would like to affect the way the victims are chosen, altering the selection isn’t possible.
For example, take a couple of recent epidemics, WannaCry and ExPetr. At first glance, both seemed to be encrypting attacks, and both affected a vast number of healthcare enterprises.
The first, the notorious WannaCry, launched on May 12, 2017. During the Trojan’s first days, more than 200,000 computers fell victim. Those damaged the most by the attack included organisations participating in the British National Health Service (NHS). Clinics across both England and Scotland were affected. Some of them turned off their e-mail services to prevent infection from penetrating local networks. Many clinics even had to ask their clients to turn to other clinics’ services if they didn’t require urgent medical treatment.
The second epidemic, ExPetr, spread through the servers of Ukrainian tax reporting software. Therefore, companies filing their tax documents, including healthcare companies, were at risk. It was not only Ukrainian companies that suffered; a large Russian private medical company, INVITRO, which specialises in laboratory analyses, was among the attack victims as well. The company’s computers were out of order for about five days.
Both epidemics encrypted computer data, and in both cases, decrypting the data was not possible even if companies paid the ransom. But the most important point here is that WannaCry and ExPetr would not be such dreadful threats if the affected companies had a considered cyber-security strategy in place.
Still, malware epidemics are not the only threat. According to data published by the Identity Theft Resource Centre, a noncommercial organisation, almost one-fourth of the incidents (24.8%) that resulted in personal data theft in the first half of 2017 took place in organisations associated with medicine or healthcare. And of course, this is a field in which personal data often contain highly classified or confidential information.
Kaspersky Lab pays particular attention to healthcare security. We have been collaborating with large medical companies for years already. We know what to protect and, more important, how exactly to protect it.